Senate Tosses Cybersecurity Ball to Obama's Court

Sen. Harry Reid no doubt knew there wouldn't be 60 votes to bring the Cybersecurity Act of 2012 to the Senate floor for a full vote, but on Wednesday he moved to do so anyway, and the legislation was once again stalled. It's likely that President Obama will issue some executive orders to implement certain measures of the bill rather than allow the cybersecurity issue to languish.

By Erika Morphy
11/15/12 2:59 PM PT

Well, that was fast. About 24 hours after Sen. Harry Reid, D-Nev., said he would move to bring the once-failed Cybersecurity Act of 2012 to the Senate floor for a vote, its opponents shot it down again.

Reid's procedural motion to move the bill forward was rejected 51-47 on Wednesday.

A Controversial Measure

The bill, introduced by Sen. Joe Lieberman, I-Conn., and Sen. Susan Collins, R-Maine, includes several controversial elements that have attracted a wide-ranging and potent group of opponents.

The current version would allow the Department of Homeland Security to intercept telecommunications transiting federal networks and provide for more information sharing between the private sector and the government. The bill also would have give corporations more legal authority to monitor customers' activities.

Companies deemed to be critical cyberinfrastructure providers would be subject to new regulations. The bill also would allow firms victimized by cyberattacks to enjoy immunity from any resulting lawsuits, subject to their having met all the security requirements established in the legislation.

Opponents aligned against it on various grounds, ranging from what they considered an unacceptably high burden of new regulations to concerns that the measure would erode privacy.

The Threat of Cyberattacks

The bill's authors and other proponents have maintained that its provisions are essential to protect the nation's infrastructure against a cyberattack.

"In all my years on the Homeland Security Committee, I cannot think of another issue where the vulnerability is greater and we've done less," said Sen. Collins in a statement provided by spokesperson ER Anderson to TechNewsWorld after the bill's defeat.

Experts have repeatedly warned that the computer systems that run such critical infrastructure as the electric grid, pipelines, water systems, financial networks and transportation systems are vulnerable to a major cyberattack, she noted.

The Pros and Cons

There are distinct pros and cons to the legislation.

The cyberthreat is a fast-evolving, complex and serious problem, and the Cybersecurity Act of 2012 would have been useful by establishing binding targets that firms must meet, said Scott J. Shackelford, assistant professor of business law and ethics at Indiana University's
Kelley School of Business

On the other hand, since the cyberthreat is so rapidly changing, there is a case to be made that the Department of Homeland Security should not have the power to set binding performance requirements.

"This would put the government in the business of picking winners and losers," Shackelford told TechNewsWorld. "To meet this critique, some -- including myself -- prefer outcome-based regulations rather than prescriptive regulations, reinforcing industry best practices."

There are also those who prefer that the National Security Agency take the lead in enhancing U.S. cybersecurity, he noted, rather than the DHS.

Partisan Warfare

The issue of cybersecurity has fallen victim to the partisan divide in Congress.

"On its surface, cybersecurity should not be a partisan issue," Shackelford said. "Indeed, early on it seemed that the Cybersecurity Act of 2012 enjoyed broad bipartisan support. But over time it has been drawn into the old debate about the proper role for government."

What's Next?

It is widely assumed that President Obama will implement some of the bill's measures by executive order.

However, that is not the ideal scenario, said Alexander H. Southwell, former cybercrime prosecutor and cochair of Gibson Dunn & Crutcher's nformation technology and data privacy practice.

"I think there are some elements, such as the information-sharing, that the bill's proponents feel are best addressed by law and not executive order," he told TechNewsWorld.

It's unlikely that Reid and the bill's sponsors were surprised by its defeat.

"I don't think this vote was a case of Reid not understanding how many votes he had," Southwell remarked. "Rather, I think the backers feel the bill is too important to leave sidelined."

The controversy over it was almost inevitable, given its complex and multifaceted nature.

"There are so many overlapping and complicating issues that as a legislative measure, it became very challenging" said Southwell. "What often happens to these bills is that people try to put everything in them."